Cybercrime: The Underground Economy

The success of any industry is reliant on its economics. Cybercrime is no different, maintaining its own economy of commoditized products and services


The success of an industry is reliant on its economics – the production, allocation and use of its goods and services. Cybercrime, like any other industry or business, maintains its own economy of commoditized products and services.


The products of the cybercrime economy, like products in any other industry, benefit both the sellers and the buyers. The sellers benefit from quick and discreet payout, and the buyers benefit from “out of the box” malicious operations that can be implemented immediately. These products can be broken down into two main categories: information and resources.

Information includes commodities such as:

  • Stolen personally identifiable information (PII): This includes everything from mass email lists used by spammers to full identity theft packages to commit financial fraud.
  • Exfiltrated organizational information: This includes intellectual capital/property, nonpublic internal data and internal operational details.
  • Harvested authentication credentials: Stolen username and password combinations continue to present a significant risk these days, especially when the same credentials are re-used across multiple sites.
  • Pilfered financial data: Unauthorized withdrawals from accounts or charges against credit lines continue to plague account holders. 

Resources include elements such as:

  • Access to feature-rich malware: Malware with varying capabilities (e.g., information stealers, remote administration tools (RATs), ransomware, purpose-built utilities) that demonstrates consistent results and avoids source code leakage can generate significant revenue for associated authors and distributors.
  • Purchase of system or software exploits: While many white hats elect to support bug bounty initiatives by vendors, there remains a lucrative underground market for reliable, unpatched exploits.
  • Transfer of control for previously compromised machines: This usually applies to always-on servers that can then be used as attack platforms or sold for the information they store.
  • Malicious actor training: Training is offered through guidebooks or tutorials on effective tool usage and specific tactics, techniques and procedures (TTPs).


The services offered within the cybercrime economy utilize a leasing structure, in which access to a product is promised at a set rate for a fixed period of time. The sellers benefit from a guaranteed source of recurrent revenue throughout an extended period of time, and buyers benefit from the continued availability and performance of malicious tools.

These services include offerings such as:

  • Distributed denial of service (DDoS): These are botnet powered attacks that affect the availability of targeted servers and capabilities.
  • Exploit kits (EKs): As part of the service offering, exploit kits are typically leased with a monthly rate for access to the exploit toolkit, allowing for customized end payloads.
  • Infrastructure rental: These include hosting services for attack platforms, malware updates, configuration, command and control (C2), and other attack lifecycle functions.
  • Money laundering: The transfer (“money muling”) of illegally obtained funds through accounts and mechanisms in money haven countries remains a key service.

Read our blog series Exploring the Cybercrime Underground to learn more.